1. Field of the Invention
The present invention relates to session management, and more particularly to single sign-on session management across multiple servers without requiring a central session management server.
2. Description of the Related Art
As known in the field of electronic information access, it is common for protected resources on a server to require some form of authentication or certification before the protected resources are provided to a client user. As an example, the client user at a computer with a browser application, such as INTERNET EXPLORER or NETSCAPE, connects to the server over the Internet and attempts to access, down-load or view a protected resource. Before allowing access to the protected resource, the server must verify that the client user is allowed access to the protected resource. This may take the form of validating the user's credentials against a list of authorized users through a log-in process. Once the user is authenticated through the log-in process, the user is granted credentials and a session between the client and the server is established. It is common for a client user to want access to protected resources on multiple servers. Unless there is some form of sharing or communication between the servers, the client user must log-in to each of the servers. This is not particularly advantageous, and to overcome these disadvantages, single sign-on session management servers have been developed and fielded. Examples of these types of session management systems are the system provided by ENTRUST, of Plano Tex., called GETACCESS, and the system provided by NETEGRITY of Waltham Mass., called NETEGRITY SITEMINDER. It is common with these types of single sign-on session management systems to use a central session management server, connected to the protected resource servers. In some configurations, central session management is hosted on a single server. In other configurations, a number of servers host the central session management, with the individual servers inter-connected and acting as a single logical server. A single logical server requires an exchange of information between the individual servers to maintain a consistent data set.
The central session management server validates the session credentials of client users. This system architecture allows a single sign-on and shared use of the session credentials. However, a central session management server is a potential single point for managing and controlling all sessions in the system and is therefore vulnerable as a single point of failure. A central session management server can also limit network performance for session updates. As a network scales, there are more applications in the single sign-on environment and more traffic to and from the session manager. Therefore, in addition to being a single point of failure, this type of architecture with a central session management server can impose additional network traffic loads. The additional network traffic loads can have a significant effect when session management is distributed over a wide area network, where bandwidth tends to be more restricted than over a local area network.
One of the reasons that systems use a central session management server is to provide a central location to check for session invalidity. This requires a check for credential invalidity each time a client accesses a server application. However, session invalidity is a very rare event. Therefore, checking for credential validity creates a significant volume of overhead to detect a rare event.
What is needed is a system and method that provides single session sign-on without requiring a central session management server, without providing a single point of failure, or without the associated network traffic load.
The preceding description is not to be construed as an admission that any of the description is prior art relative to the present invention.